From 879095c450843534cb9acfc39397391845707b29 Mon Sep 17 00:00:00 2001
From: Firstyear <william@blackhats.net.au>
Date: Fri, 27 Sep 2019 09:57:53 +1000
Subject: [PATCH] Implement #90 - allow self write to name, displayname, and
 legalname. (#105)

* Implement #90 - allow self write to name, displayname, and legalname.

This is an important aspect to respecting peoples autonomy and identities
so that they can change their name when appropriate to them. Limit self read/write to live accounts, and prevent anonymous self-write
---
 kanidmd/src/lib/constants.rs | 25 ++++++++++++++++++++++++-
 kanidmd/src/lib/server.rs    |  1 +
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/kanidmd/src/lib/constants.rs b/kanidmd/src/lib/constants.rs
index 5186bc21a..b67365038 100644
--- a/kanidmd/src/lib/constants.rs
+++ b/kanidmd/src/lib/constants.rs
@@ -332,7 +332,7 @@ pub static JSON_IDM_SELF_ACP_READ_V1: &'static str = r#"{
         "description": ["Builtin IDM Control for self read - required for whoami and many other functions."],
         "acp_enable": ["true"],
         "acp_receiver": [
-            "\"Self\""
+            "{\"And\": [\"Self\", {\"AndNot\": {\"Or\": [{\"Eq\": [\"class\", \"tombstone\"]}, {\"Eq\": [\"class\", \"recycled\"]}]}}]}"
         ],
         "acp_targetscope": [
             "\"Self\""
@@ -349,6 +349,29 @@ pub static JSON_IDM_SELF_ACP_READ_V1: &'static str = r#"{
     }
 }"#;
 
+pub static _UUID_IDM_SELF_ACP_WRITE_V1: &'static str = "00000000-0000-0000-0000-ffffff000021";
+pub static JSON_IDM_SELF_ACP_WRITE_V1: &'static str = r#"{
+    "attrs": {
+        "class": ["object", "access_control_profile", "access_control_modify"],
+        "name": ["idm_self_acp_write"],
+        "uuid": ["00000000-0000-0000-0000-ffffff000021"],
+        "description": ["Builtin IDM Control for self write - required for people to update their own identities in line with best practices."],
+        "acp_enable": ["true"],
+        "acp_receiver": [
+            "{\"And\": [\"Self\", {\"AndNot\": {\"Or\": [{\"Eq\": [\"class\", \"tombstone\"]}, {\"Eq\": [\"class\", \"recycled\"]}, {\"Eq\": [\"uuid\", \"00000000-0000-0000-0000-ffffffffffff\"]}]}}]}"
+        ],
+        "acp_targetscope": [
+            "\"Self\""
+        ],
+        "acp_modify_removedattr": [
+            "name", "displayname", "legalname"
+        ],
+        "acp_modify_presentattr": [
+            "name", "displayname", "legalname"
+        ]
+    }
+}"#;
+
 /*
 pub static _UUID_IDM_ADMINS_ACP_MANAGE_V1: &'static str = "00000000-0000-0000-0000-ffffff000005";
 pub static JSON_IDM_ADMINS_ACP_MANAGE_V1: &'static str = r#"{
diff --git a/kanidmd/src/lib/server.rs b/kanidmd/src/lib/server.rs
index 15f62ff6f..a0c533b13 100644
--- a/kanidmd/src/lib/server.rs
+++ b/kanidmd/src/lib/server.rs
@@ -1601,6 +1601,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
             // JSON_IDM_ADMINS_ACP_MANAGE_V1,
             JSON_IDM_ALL_ACP_READ_V1,
             JSON_IDM_SELF_ACP_READ_V1,
+            JSON_IDM_SELF_ACP_WRITE_V1,
             JSON_IDM_ACP_PEOPLE_READ_PRIV_V1,
             JSON_IDM_ACP_PEOPLE_WRITE_PRIV_V1,
             JSON_IDM_ACP_GROUP_WRITE_PRIV_V1,